In a lawsuit between a web developer and his former employer, a media agency, a judge in Germany has ruled that using keylogger spyware to monitor one’s employees is against the law. The specific identities of all of the involved parties are private for now.

There are keylogger devices that can be plugged in between a keyboard and a PC. But, most keyloggers today are purely software and come with additional features, such as viewing a target’s monitor output and transmitting screenshots of it. That’s what the malware the employer used was found doing.

The web developer sued his former employer for wrongful dismissal. During April 2015, the employer sent out a group email announcing that internet traffic and other work-computer use would be permanently logged and saved. The email didn’t explain how, but company policy forbade the personal use of their computer and networking equipment.

Shortly after the announcement, the former employee was accused of working on a computer game for another company. He was soon fired.

The former employee claims that he was doing work for his father’s company, but only during his breaks, for only ten minutes per day.

This case highlights that spyware isn’t the preserve of foreign militaries and script kiddies; it can also come from people you interact with in person, such as jealous partners or employers.

Is using keyloggers and other forms of spyware on employees still legal in the United States? The spyware industry certainly hopes so.

Controversial spyware developer Flexispy describes a “legislative gap” that “does not reach Keylogger technology”. In a nutshell, their advice to potential customers is that it is usually legal for employers to use keyloggers on their employees in the United States, but regulatory specifics vary from state to state.

I’m Canadian, so what about Canada?

Spyware developer Gecko Monitor suggests that people are free to spy on others using its keyloggers “as long as the person who installed the keylogger program is the owner of the computer or device that the software is being installed on”.

Those companies operate legally but have a clear interest in making the legal path look as smooth as possible. If your conscience is OK with keylogging, you’d be well advised to seek independent legal advice before you do it.

Just because it’s legal, does that make it ethical? Tell us what you think in the comments below.

15 comments on “Fired employee caught by keylogger wins case”

If you’re using your employer’s computer and network, they are within their rights to tell you what you are and are not allowed to use it for. That doesn’t mean companies should prohibit some occasional personal use, if they want to keep their employees happy (consider the cost of that versus other employee benefits), but they’re within their rights to do so.

Do you really want to work at a company which feels it needs to log your keystrokes at your computer? Seems like an IT security budget that could be better spent on management and communications training.

This article raises a number of important issues. However, the conclusion seems to suggest that it is ok in Canada for organizations to install keystroke loggers on their computers. Privacy is partly enforced by the provinces, partly by the federal government, depending on a number of factors, so making a Canada-wide claim should be made with caution. In BC, where I live, the BC Privacy Commissioner has ruled that it is _not_ legal for an organization to install keystroke loggers at will.

In 2012, in its decision on R. v. Cole, the Supreme Court of Canada judged that an employee had a reasonable expectation of privacy in an employer-issued work computer. The decision was based on the Charter of Rights and thus applies to the whole country.

“Controversial Spyware developer Flexispy describes a “legislative gap” that “does not reach Keylogger technology”. In a nutshell, their advice to potential customers is that it usually is legal for employees to use keyloggers on their employees in the United States, but regulatory specifics vary from state to state.”
Did you mean to say above: It is legal for employers to use keyloggers on their employees in the US?

This was likely insider threat detection software that did what it was supposed to do, namely log and report activity regarding IP heading out the door. In the EU, that amounts to unlawful surveillance without detailed notice, and either consent or an investigative escalation policy and procedure that does not unmask the perpetrator until a formal investigation process is properly approved and documented. This type of software or compensating controls are required for US defense contractors and others dealing with sensitive data, as well as companies who have significant IP assets subject to theft risk. Done properly, it is legal in most places.

The distinction of malware is any program or hardware built and used to be destructive, disruptive, and possibly financially damaging. This keylogger may not be malware in this case, as it is the organization itself that installs the keylogger onto its own devices for additional monitoring. Any entity may have right and reason to add additional monitoring if they feel it is important enough. In this case, I believe that the man had been plainly told not to use the company’s hardware and network for personal use. It was not his to use at his discretion outside of what he had been assigned to do by the company. Whether or not you disagree that keyloggers should be used at all, you must accept that he was in violation of his company’s acceptable use policy. The keylogger is what finally caught him, as was intended by his employer who owned the hardware, so nothing “mal” happened in how he was caught. He may not have been made aware that there was a keylogger, but that is irrelevant; he again was expected to follow his company’s AUP and he need not know. Obfuscation is an important part of security that should not be disregarded because you think it infringes on your imagined right to play time. The nay-sayers against the use of legal keyloggers know that it is their ability to waste time that is being threatened, and that is why they are for the ruling against the use of legal keyloggers.

There is also always the downside to storing all that keylogger data, in that storing data makes it a target and can be very exploitable by hackers. Just think what passwords and private valuable IP could be pieced together from all those logs: so much to threaten the company with, or to use against them, or to sell to dodgy competitors or to any criminals who fancy phishing them, even if no passwords are saved.

With so much of what we have to do in modern society only being able to be done online, prohibiting all personal use at work is possibly a grey area. Consider the fact that if I don’t have a PC of my own, how do I access notices from the tax office about changes to my tax code resulting from that very employment? Would checking my state pension status be “personal use”?
When I ran the IT for a company, I put an old PC running Linux – basically just to provide web access – in the coffee room for anyone to use for things they needed to do. That way I could keep their personal stuff off their desktops and it would be obvious if anyone was spending too much time doing personal stuff.

This is a complex issue. Companies have the right to protect their intellectual property, to protect their customers’ information, and to ensure their equipment is being used lawfully and within the bounds of their corporate policies. But it certainly leaves open the door to privacy violations. Most US companies have a “no privacy expectation” policy for their computers and networks for their employees for this reason. Few things are as harmful to a company’s reputation as a major data breach. This does leave open cases where HR violations can be vague and up to interpretation. There is also the issue that the company may be capturing very sensitive personal information, like their bank login credentials, or other personal passwords. As our network use becomes more and more pervasive, the merging of personal and work time and activities becomes extremely blurred. This is particularly messy with mobile devices that are often both work and personal devices. If a company wants me to be a 7×24 hour employee and gives me the tools to do that (mobile devices, take-home laptops, etc.) then there has to be a compromise on what is personal and what is work-related activity.